Description
There's a catch-22 in SASL mechanism negotiation with arbiters. In order for drivers not to have to do a second mechanism negotiation round trip, they need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field so that drivers can discover that the server is an arbiter, after which they won't attempt authentication anyway.
Repro:
- set up a 3.7.3 server with authentication and a user
- connect with an old client (to avoid SERVER-33947)
- manually run ismaster with saslSupportedMechs

    $ ~/mongodb/3.4.14/bin/mongo metis.local:57058
    MongoDB shell version v3.4.14
    connecting to: mongodb://metis.local:57058/test
    MongoDB server version: 3.7.3
    WARNING: shell and server versions do not match
    MongoDB Enterprise foo:ARBITER> use admin
    switched to db admin
    MongoDB Enterprise foo:ARBITER> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
    {
        "operationTime" : Timestamp(1523475642, 1),
        "ok" : 0,
        "errmsg" : "Could not find user root@admin",
        "code" : 11,
        "codeName" : "UserNotFound"
    }

By contrast, connecting to a secondary works:

    $ ~/mongodb/3.4.14/bin/mongo metis.local:57048
    MongoDB shell version v3.4.14
    connecting to: mongodb://metis.local:57048/test
    MongoDB server version: 3.7.3
    WARNING: shell and server versions do not match
    MongoDB Enterprise foo:SECONDARY> use admin
    switched to db admin
    MongoDB Enterprise foo:SECONDARY> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
    {
        "hosts" : [
            "metis.local:57038",
            "metis.local:57048"
        ],
        "arbiters" : [
            "metis.local:57058"
        ],
        "setName" : "foo",
        "setVersion" : 1,
        "ismaster" : false,
        "secondary" : true,
        "primary" : "metis.local:57038",
        "me" : "metis.local:57048",
        "lastWrite" : {
            "opTime" : {
                "ts" : Timestamp(1523475952, 1),
                "t" : NumberLong(3)
            },
            "lastWriteDate" : ISODate("2018-04-11T19:45:52Z"),
            "majorityOpTime" : {
                "ts" : Timestamp(1523475952, 1),
                "t" : NumberLong(3)
            },
            "majorityWriteDate" : ISODate("2018-04-11T19:45:52Z")
        },
        "maxBsonObjectSize" : 16777216,
        "maxMessageSizeBytes" : 48000000,
        "maxWriteBatchSize" : 100000,
        "localTime" : ISODate("2018-04-11T19:45:58.059Z"),
        "logicalSessionTimeoutMinutes" : 30,
        "minWireVersion" : 0,
        "maxWireVersion" : 7,
        "readOnly" : false,
        "saslSupportedMechs" : [
            "SCRAM-SHA-256",
            "SCRAM-SHA-1"
        ],
        "ok" : 1,
        "operationTime" : Timestamp(1523475952, 1)
    }
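
The driver-side decision that the description relies on, as an added example that is not part of the original report and not MongoDB driver code. `planAuth` is a hypothetical helper; the `arbiterOnly` check and the SCRAM-SHA-1 fallback when no list is advertised are assumptions about driver behaviour, and the third sample reply is constructed.

```javascript
'use strict';
// Added example, not MongoDB driver code. planAuth() is a hypothetical helper.

const USER_NOT_FOUND = 11; // "code" : 11, "codeName" : "UserNotFound" in the report

// Decide what a driver does next, given the reply to its initial
// ismaster-with-saslSupportedMechs handshake.
function planAuth(reply) {
  if (reply.ok !== 1) {
    // The handshake itself failed, so the driver never learns the member type.
    const kind = reply.code === USER_NOT_FOUND ? 'UserNotFound' : 'HandshakeError';
    return { action: 'fail', detail: kind };
  }
  if (reply.arbiterOnly === true) {
    // Assumption: arbiters identify themselves with arbiterOnly in a normal reply.
    return { action: 'skip-auth', detail: 'arbiter' };
  }
  const mechs = reply.saslSupportedMechs;
  if (!Array.isArray(mechs)) {
    // Assumption: with no advertised list, fall back to SCRAM-SHA-1.
    return { action: 'authenticate', detail: 'SCRAM-SHA-1' };
  }
  // Prefer the strongest mechanism the server advertised for this user.
  const mech = mechs.includes('SCRAM-SHA-256') ? 'SCRAM-SHA-256' : 'SCRAM-SHA-1';
  return { action: 'authenticate', detail: mech };
}

// Replies trimmed from the report's output, plus one constructed reply
// showing the behaviour the report asks for.
const arbiterToday = { ok: 0, errmsg: 'Could not find user root@admin', code: 11, codeName: 'UserNotFound' };
const secondary = { ismaster: false, secondary: true, saslSupportedMechs: ['SCRAM-SHA-256', 'SCRAM-SHA-1'], ok: 1 };
const arbiterRequested = { ismaster: false, secondary: false, arbiterOnly: true, ok: 1 }; // constructed

function demo() {
  return [arbiterToday, secondary, arbiterRequested].map(planAuth);
}

console.log(demo());
```

With the reply the arbiter sends in the repro, the driver has only an error to act on; with the requested reply it can classify the member and skip authentication.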